(57) A method for providing secure remote control commands in a distributing computer environment. In the preferred embodiment of the invention, a network administrator or network management software creates a shutdown record, including an index or time stamp, for powering down a specified network computer(s). Prior to broadcast over the network, a secure one-way hash function is performed on the shutdown record. The result of the one-way hash function is encrypted using the network administrator's private key, thereby generating a digital signature that can be verified by specially configured network nodes. The digital signature is appended to the original shutdown record prior to broadcast to the network. Upon receiving the broadcast message, the targeted network computer(s) validates the broadcast message by verifying the digital signature of the packet or frame. The validation process is performed by decrypting the hash value representation of the shutdown record using the network administrator's public key. A one-way hash function is also performed on the original shutdown record portion of the received message. If the two values match, the broadcast message is determined to be authentic and the shutdown control code is executed. The invention insures that the shutdown command was neither modified in transit nor originated from an unauthorized source.
Description

[0001] The invention relates to security in a computer network, and more particularly to a secure method for communicating remote control commands in a distributed computing environment.

[0002] A majority of today's businesses utilize some form of computer network. As servers and clients are deployed into more mission critical environments and used in more remote areas, the amount of human resources required to manage these computer networks is growing. Computer networks are often maintained by either a network administrator or an Information Systems (IS) department. Network administrators are often tasked with performing such duties as data backups or software updates on network computers at times when network users will not be negatively impacted (e.g., at night). These tasks are simplified somewhat by relatively new network management hardware and software that allows remote access to network computers. To remotely access network computers, however, requires that network users leave machines running or disable energy saving features. This requirement can conflict with efforts to reduce computer power consumption.
[0003] In particular, the Environmental Protection Agency (EPA) has attempted, through the Energy Star Program, to reduce computer power consumption via the creation of so-called "green" computers. The term "green computer" typically refers to a computer that enters low-power mode following a specified period of inactivity. The proliferation of green computers in networks, while laudable, can interfere with a network administrator's duties. For example, if a network computer is in sleep mode (or other low power state) it often cannot be addressed from the network.
[0004] Attempts have been made to alleviate this problem. For example, Magic Packet™ technology, a proposed industry standard jointly developed by Advanced Micro Devices and Hewlett-Packard Corporation, provides a mechanism whereby a network administrator or network management software can "wake up" or power down a network computer by sending it a special Ethernet frame. Briefly, the Ethernet frame includes a specific data pattern that can be detected by a specially configured network interface controller incorporated in a network computer. The network interface controller is capable of communicating with the network computer's power management hardware or software to power up or power down the network computer in response to a control code portion of the special Ethernet frame.

[0005] In addition to networking hardware and software, today's businesses also invest large amounts of money developing information contained in data files such as text documents and spreadsheets. Protecting such investments can be critical to the success and reputation of a business. Public accounts of the exploits of computer "hackers" - as malicious code-breakers or eavesdroppers are sometimes called - have therefore focussed and magnified corporate desires for secure communications and better methods of protecting data. The scope of the problem is undoubtedly even more serious than reported, given the reluctance of many businesses to publicize security breaches. As a result, computer manufacturers and network software developers are striving to incorporate security and integrity features into their products to restrict access to data contained on network hard drives, as well as information contained in other critical network components.
[0006] One known approach to security involves encryption or cryptography. Cryptography is typically used to protect both data and communications. Generally, an original message or data item is referred to as "plain text", while "encryption" denotes the process of disguising or altering a message in such a way that its substance is not readily discernable. An encrypted message is sometimes called "ciphertext". Ciphertext is returned to plain text by an inverse operation referred to as "decryption". Encryption is typically accomplished through the use of a cryptographic algorithm, which is essentially a mathematical function. The most common cryptographic algorithms are key-based, where special knowledge of variable information called a "key" is required to decrypt ciphertext. There are many types of key-based cryptographic algorithms, providing varying levels of security.

[0007] The two most prevalent cryptographic algorithms are generally referred to as "symmetric" (also called secret key or single key algorithms) and "public key" (also called asymmetric algorithms). The security in these algorithms is centered around the keys -- not the details of the algorithm itself. This makes it possible to publish the algorithm for public scrutiny and then mass produce it for incorporation into security products.
[0008] In symmetric algorithms, the encryption key and the decryption key are the same. This single key encryption arrangement is not without drawbacks. The sender and recipient of a message must somehow exchange information regarding the secret key. Each side must trust the other not to disclose the key. Further, the sender must generally communicate the key via another media (similar to a bank sending the personal identification number for an ATM card through the mail). This arrangement can be impractical, for example, when the parties interact electronically for the first time over a network. The number of keys also increases rapidly as the number of users increases.
[0009] With public key algorithms, by comparison, the key used for encryption is different from the key used for decryption. It is generally very difficult to calculate the decryption key from an encryption key. In typical operation, the "public key" used for encryption is made public via a readily accessible directory, while the corresponding "private key" used for decryption is known only to the recipient of the ciphertext. In an exemplary public key transaction, a sender retrieves the recipient's public key and uses it to encrypt the message prior to sending it. The recipient then decrypts the message with the corresponding private key. It is also possible to encrypt a message using a private key and decrypt it using a public key. This is sometimes used in digital signatures to authenticate the source of a message.
[0010] The number of cryptographic algorithms is constantly growing. The two most popular are DES (Data Encryption Standard) and RSA (named after its inventors - Rivest, Shamir, and Adleman). DES is a symmetric algorithm with a fixed key length. RSA is a public key algorithm that can be used for both encryption and digital signatures. DSA (Digital Signature Algorithm) is another popular public key algorithm that is only used for digital signatures. With any of these algorithms, the relative difficulty of breaking an encrypted message by guessing a key with a brute force attack is proportional to the length of the key. For example, if the key is 40 bits long (5 characters), the total number of possible keys (2^40) is about 110 billion. Given the computational power of modern computers, this value is often considered inadequate. By comparison, a key length of 56 bits (7 characters) provides 65,636 times as many possible values as the 40 bit key.

[0011] One problem with key-based algorithms is speed. Public key algorithms, in particular, are typically on the order of 1,000 times slower than symmetric algorithms. Even symmetric algorithms can be slow when compared with so-called "one-way functions" or "one-way hash functions".

[0012] Briefly, an ideal one-way hash function, denoted H(M), operates on an arbitrary-length block of text or message M. The one-way hash function returns a fixed-length hash value, h, such that h = H(M), where h is of length m. One-way hash functions have special characteristics that make them one-way. Given M, for example, it is easy to compute h. Given h, it is impossible to reverse the hashing process and compute M such that H(M) = h. Further, it is impossible to find another message, M', such that H(M) = H(M'). In essence, the one-way hash function provides a "fingerprint" of M that is unique, and is therefore useful for purposes of authenticating the source of a message.
[0013] Briefly, a computer system according to the present invention provides a secure method for communicating remote control commands in a distributed computing environment. A potential problem with providing remote control capabilities in a computer network is that unauthorized users may broadcast shutdown or wake up commands to network nodes in an undesirable manner. A system according to the present invention addresses this concern.

[0014] According to the invention, a network administrator or network management software creates a shutdown (or other control command) record including an index or time stamp with the date and time on which the shutdown record was created. A secure one-way hash function is then performed on the shutdown record. The result of the one-way hash function is encrypted using the network administrator's private key, thereby generating a digital signature of the shutdown record that can be verified by network nodes using the network administrator's public key. The digital signature is appended to the original shutdown record prior to broadcast to the network.

[0015] Following detection of a broadcast message addressed to it, a network computer according to the invention is able to validate the broadcast message by verifying the digital signature of the packet or frame. In the disclosed embodiment, the validation process is performed by decrypting the hash value representation of the shutdown record using the network administrator's public key. A one-way hash function is also performed on the original shutdown record portion of the received message. If the two hash values match, the broadcast message is determined to be authentic and the shutdown control code is executed.

[0016] The present invention thereby protects and authenticates remote control commands transmitted via corporate networks, intranets and LANs. Unauthorized users and malicious software are prevented from turning off (or waking up) network computers or performing other unauthorized functions such as malicious alteration of ROM code. For machines in which it is desirable to disable remote control functionality, it is also contemplated that the public key of the network administrator can be invalidated such that the specified machine is incapable of detecting a valid broadcast message.
[0017] A better understanding of the present invention can be obtained when the following detailed description of the preferred embodiment is considered in conjunction with the following drawings, in which:

Figure 1 is a schematic block diagram of a network computer system incorporating networking capabilities in accordance with the present invention;

Figure 2 is a schematic block diagram of an exemplary local area network capable of secure remote control communications according to the present invention;

Figure 3 is a flowchart diagram illustrating generation of a secure network broadcast message in accordance with the present invention; and

Figure 4 is a flowchart diagram illustrating the receipt and validation of a secure network broadcast message in accordance with the present invention.

[0018] The following patents and applications are referenced below:

Commonly owned U.S. Patent Application Serial No. 08/766,721, entitled "A METHOD AND APPARATUS FOR ALLOWING ACCESS TO SECURED COMPUTER RESOURCES BY UTILIZING A PASSWORD AND EXTERNAL ENCRYPTION ALGORITHM", filed on December 13, 1996;

Commonly owned EP-A-0 851 335, entitled "SECURE TWO-PIECE USER AUTHENTICATION IN A COMPUTER NETWORK"; and

Commonly owned U.S. Patent Application Serial No. 08/777,615, entitled "METHOD FOR SECURELY CREATING, STORING AND USING ENCRYPTION KEYS IN A COMPUTER SYSTEM", filed on December 31, 1996.

[0019] Referring first to Figure 1, a network computer system incorporating networking capabilities in accordance with the present invention is shown. In the preferred embodiment, the network computer S incorporates two primary buses: a Peripheral Component Interconnect (PCI) bus P which includes an address/data portion and a control signal portion; and an Industry Standard Architecture (ISA) bus I which includes an address portion, a data portion, and a control signal portion. The PCI and ISA buses P and I form the architectural backbone of the network computer S.
[0020] A CPU/memory subsystem 100 is connected to the PCI bus P. The processor 102 is preferably the Pentium® or Pentium II® processor from Intel Corporation, or any number of similar or next-generation processors. The processor 102 drives data, address, and control portions 116, 106, and 108 of a host bus HB. A level 2 (L2) or external cache memory 104 is connected to the host bus HB to provide additional caching capabilities that improve the overall performance of the network computer S. The L2 cache 104 may be permanently installed or may be removable if desired. Alternatively, the L2 cache 104 may be embodied within the processor 102. A cache and memory controller 110 and a PCI-ISA bridge chip 130 are connected to the control and address portions 108 and 106 of the host bus HB. The cache and memory controller chip 110 is configured to control a series of data buffers 112. The data buffers 112 are preferably the 82433LX from Intel, and are coupled to and drive the host data bus 116 and a MD or memory data bus 118 that is connected to a memory array 114. A memory address and memory control signal bus is provided from the cache and memory controller 110.
[0021] The data buffers 112, cache and memory controller 110, and PCI-ISA bridge 130 are all connected to the PCI bus P. The PCI-ISA bridge 130 is used to convert signals between the PCI bus P and the ISA bus I. The PCI-ISA bridge 130 includes: the necessary address and data buffers, arbitration and bus master control logic for the PCI bus P, ISA arbitration circuitry, an ISA bus controller as conventionally used in ISA systems, an IDE (intelligent drive electronics) interface, and a DMA controller. A hard disk drive 140 is connected to the IDE interface of the PCI-ISA bridge 130. Tape drives, CD-ROM devices or other peripheral storage devices (not shown) can be similarly connected.
[0022] In the disclosed embodiment, the PCI-ISA bridge 130 also includes miscellaneous system logic. This miscellaneous system logic contains counters and activity timers as conventionally present in personal computer systems, an interrupt controller for both the PCI and ISA buses P and I, and power management logic. Additionally, the miscellaneous system logic preferably includes circuitry for a security management system used for password verification and to allow access to protected resources. For example, the PCI-ISA bridge 130 of the disclosed embodiment includes various address decode logic and security logic to control access to an internal or external CMOS/NVRAM memory (not shown) and stored password values. The CMOS/NVRAM memory is coupled to the PCI-ISA bridge 130 via a standard I²C bus (also not shown).
[0023] The PCI-ISA bridge 130 also includes circuitry to generate a firmware initiated SMI (System Management Interrupt), as well as SMI and keyboard controller interface circuitry. The miscellaneous system logic is connected to the flash ROM 154 through write protection logic 164. Separate enable/interrupt signals are also communicated from the PCI-ISA bridge 130 to the hard drive 140. Preferably, the PCI-ISA bridge 130 is a single integrated circuit, but other combinations are possible.

[0024] A series of ISA slots 134 are connected to the ISA bus I to receive ISA adapter cards. A series of PCI slots 142 are similarly provided on the PCI bus P to receive PCI adapter cards.

[0025] A video controller 165 is also connected to the PCI bus P. Video memory 166 is used to store graphics data and is connected to the video graphics controller 165 and a digital/analog converter (RAMDAC) 168. The video graphics controller 165 controls the operation of the video memory 166, allowing data to be written and retrieved as required. A monitor connector 169 is connected to the RAMDAC 168 for connecting a monitor 170.

[0026] A combination I/O chip 136 is connected to the ISA bus I. The combination I/O chip 136 preferably includes a real time clock, two UARTS, and a floppy disk controller for controlling a floppy disk drive 138. Additionally, a control line is provided to the read and write protection logic 164 to further control access to the flash ROM 154. Serial port connectors 146 and parallel port connector (not shown) are also connected to the combination I/O chip 136.

[0027] An 8042, or keyboard controller, is also included in the combination I/O chip 136. The keyboard controller is of conventional design and is connected in turn to a keyboard connector 158 and a mouse or pointing device connector 160. A keyboard 159 is connected to the network computer S through the keyboard connector 158.

[0028] A buffer 144 is connected to the ISA bus I to provide an additional X-bus X for various additional components of the network computer S. A flash ROM 154 receives its control, address and data signals from the X-bus X. Preferably, the flash ROM 154 contains the BIOS information for the computer system and can be remotely reprogrammed to allow for revisions of the BIOS.

[0029] In the disclosed embodiment, the network computer S contains circuitry for communicating with a removable cryptographic token 188. The token can take many forms, such as a Touch Memory™ device supplied by Dallas Semiconductor, Inc., a smart card, or an encryption card. The token 188 is easily decoupled from the network computer S and easily transportable by the token bearer. The token 188 preferably contains at least one of a variety of encryption algorithms (such as DES, Blowfish, elliptic curve-based algorithms, etc.). Although the base algorithm can be the same in each token 188, it is desirable that the encryption key be different in each token 188. Ideally, the token 188 is capable of communicating digitally with the network computer S during momentary contact with or proximity to the network computer S. The token 188 of the disclosed embodiment is capable of storing the encryption algorithm in a non-volatile manner and can be permanently write-protected to discourage tampering. Use of such tokens is further described in the previously incorporated patent application entitled "A METHOD AND APPARATUS FOR ALLOWING ACCESS TO SECURED COMPUTER RESOURCES BY UTILIZING A PASSWORD AND AN EXTERNAL ENCRYPTION ALGORITHM".
[0030] In the disclosed embodiment of the invention, the circuitry used for establishing a communication link between the token 188 and the network computer S consists of a probe 186 connected to a COM or serial port adapter 184. The port adapter 184 is connected to the RS232 connector 146. In operation, the token 188 is detachably received by the probe 186. The probe 186 includes circuitry for reading and writing memory in the token 188, and can be fully powered through the RS232 connector 146. In addition, the probe 186 includes presence detector circuitry for ascertaining the presence of a token 188.

[0031] A network interface controller (NIC) 122 incorporating remote control capabilities, such as those described more fully below, is also connected to the PCI bus P, allowing the network computer S to function as a "node" on a network. Preferably, the network interface controller 122 is a single integrated circuit that includes the capabilities necessary to act as a PCI bus master and slave, as well as circuitry required to act as an Ethernet interface. Attachment Unit Interface (AUI) and 10 base-T connectors (not shown) are provided in the system S, and are connected to the NIC 122 via filter and transformer circuitry. This circuitry forms a network or Ethernet connection for connecting the network computer S to a distributed computer environment or local area network (LAN) as shown in Figure 2. The network interface controller 122 can be located on the motherboard and connected to a network via an RJ-45 connector (not shown). This configuration is becoming more popular as Ethernet gains widespread acceptance for desktop networking.



[0032] Most of today's personal computers also incorporate some form of advanced power management hardware/software 180 (such as Compaq Power Management Software) for controlling power distribution from a power supply 182. The power management hardware/software 180 typically allows the network computer S to be placed in any one of a number of different power down states, from merely reducing processor clock speed to powering down everything except the network interface controller 122. In a typical computer system S, the power management hardware/software 180 scans for any one of several events that serve to wake up the system. Such events may include keyboard 159 keystrokes or mouse movement. A Magic Packet™ indication signal can easily be included among the specified wake-up or power down events.
[0033] The network interface controller 122 is supplied with power by an auxiliary portion of power source 182 and is capable of communicating with a network (see Figure 2). Further, with the Magic Packet™ mode (discussed more fully below) enabled, the network interface controller 122 is capable of alerting the network computer's S power management hardware/software 180 following receipt of a valid Magic Packet™ frame. Conversely, the computer's power management hardware/software 180 is able to place the network interface controller 122 into Magic Packet™ mode prior to the computer system S entering a low power state. This can be accomplished, for example, by either setting a bit in an internal register or by driving a specified pin to a specified state. Once in Magic Packet™ mode, the network interface controller 122 no longer transmits frames, and scans all incoming frames addressed to it for a specific data sequence indicating that the frame is a Magic Packet™ frame. The Magic Packet™ frame must comply with the basic requirements of the chosen LAN technology, such as source address, destination address, and CRC.
[0034] The precise nature of the remote control networking mechanism is not considered critical to the invention and can take many forms, even within the confines of the Magic Packet™ standard. Most network interface controllers 122 already incorporate address matching circuitry to recognize regular frames addressed to the node. This circuitry can generally be adapted for use with the Magic Packet™ standard. Counter circuitry, in particular, may need to be added to the address matching circuitry.

[0035] It is noted that Figure 1 presents an exemplary embodiment of the network computer S and it is understood that numerous other effective embodiments capable of operation in accordance with the present invention could readily be developed as known to those skilled in the art.

[0036] Referring now to Fig. 2, an exemplary distributed access environment capable of secure remote control communications according to the present invention is shown. The disclosed network 200 includes a network administrator computer 202 and a plurality of network computers S, depicted as network computers 204, 206 and 208. A network interface controller 214 of the network administrator computer 202 communicates with a network interface controller 122 in each of the network computers S. Components of the network 200 are coupled via a network connection 208. Although Magic Packet™ or similar technology is not limited to any one particular type of network connection 208, a 10BASE-T, 100-BASE-T, or similar connection 208 is preferred.
[0037] As described more fully in conjunction with Figure 3, when the network administrator desires to shut down or activate a particular network computer 204, 206, or 208, a shutdown record 210 is generated. Prior to communication over the network, a digital signature of the shutdown record is generated (at element 212). The digital signature is created by first performing a one-way hash function on the shutdown record, followed by encrypting the resulting value with the network administrator's private key. The digital signature is then appended to the shutdown record prior to broadcasting over the network via network interface controller 214.
[0038] The encryption algorithms utilized in element 212 can take many forms, including all of the aforementioned algorithms. The encryption processes are preferably carried out in secure memory that is not readable or writeable and cannot be "sniffed" by surreptitious programs or viruses having the ability to monitor and intercept processes running in normal memory. Such a memory configuration is disclosed, for example, in "METHOD FOR SECURELY CREATING, STORING AND USING ENCRYPTION KEYS IN A COMPUTER SYSTEM," previously incorporated by reference. It is also contemplated that the shutdown record itself could be similarly encrypted prior to broadcast over the network 200.
[0039] The network administrator computer 202 preferably includes network management software such as Compaq Insight Manager. Such software solutions allow an administrator to control and interrogate multiple network computers S and download software (e.g., updated ROM code) to network computers S while they are fully powered. The network management software may incorporate server- or client-based management data collection "agents" and allow network administrators to remotely track and update network node configurations throughout a network 200.

REMOTE CONTROL CAPABILITIES 

[0040] In a system implemented according to the Magic Packet™ specification, a method is provided whereby a network administrator or network management software can remotely activate a sleeping network computer S. On the receiving side of the network 200, this is accomplished by enabling power to the network interface controller 122 of a particular network computer S even while the network computer S is in a low power state. The network interface controller 122 monitors the network 200 for a specific Ethernet frame. Each machine on the network is identified by a unique address. In the special Ethernet frame, the targeted network computer's S unique address is repeated sixteen times in a row anywhere within the data field of a valid network frame, serving as a wake-up call. This special frame is referred to as a Magic Packet™ frame.
[0041] As noted, the computer system S also includes power management hardware/software 180 that functions to apply power to the network interface controller 122 when Magic Packet™ mode is enabled. This process can be accomplished through BIOS or other software that is generally aware of the state of the system and capable of setting a bit in the network interface controller 122 to enable Magic Packet™ mode. Alternatively, a network operating system driver configured to monitor Advanced Power Management (APM) calls could be utilized to enable and disable Magic Packet™ mode.
[0042] Through the specialized hardware/software, the network interface controller 122 is also capable of signalling the power management hardware/software 180 to enable power to the network computer S following receipt of a valid Magic Packet™ frame. This signal can be considered analogous to a wake-up event such as a keyboard keystroke or mouse movement. In a contemplated embodiment of the invention, ROM POST code functions to boot the computer system S and return the network interface controller to a normal operating mode following receipt of a wake-up event.
[0043] A Magic Packet™ frame for use with the disclosed embodiment includes sixteen duplications of the address of a particular network computer S, with no breaks or interruptions. The address sequence can be located anywhere within the Magic Packet™ frame, but is preceded by a synchronization stream that simplifies the scanning state machine of the network interface controller 122. The synchronization frame is defined as six bytes of "FFh". Preferably, the network interface controller 122 also accepts routed or MULTICAST frames including the sixteen duplications of the address matching the address of the targeted network computer S.

[0044] As an example, assume the address for a particular node on the network is 44h 55h 66h 77h 88h 99h. In this situation, the network interface controller 122 of that node scans for the following data sequence in an Ethernet frame:

[0045] DESTINATION SOURCE MISC FF FF FF FF FF FF
44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99
44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99
44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99
44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99 44 55 66 77 88 99
MISC CRC.
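
The signing and validation flow of [0014]-[0015] and [0037], combined with the frame scan of [0043]-[0045], is sketched below as an added example; it is not code from the patent. Assumptions: the record layout (magic sequence, one control byte, 64-bit index), the control code values, SHA-256 as the hash, textbook RSA over a constructed demo key, and the rule that a node rejects any index not newer than the last one it accepted.

```python
import hashlib
import struct

# Constructed demo key built from two publicly known Mersenne primes.
# It is trivially factorable and exists only so the example runs offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # administrator's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # administrator's private exponent
SIG_LEN = (N.bit_length() + 7) // 8      # signature length in bytes

SYNC = b"\xff" * 6                       # synchronization stream: six bytes of FFh
CTRL_SHUTDOWN, CTRL_WAKE = 0x01, 0x02    # hypothetical control code values
TAIL = struct.Struct(">BQ")              # assumed layout: control code, 64-bit index


def magic_sequence(mac: bytes) -> bytes:
    """Sync stream followed by sixteen unbroken copies of the node address."""
    return SYNC + mac * 16


def build_record(mac: bytes, control: int, index: int) -> bytes:
    """Shutdown record: addressing sequence, control code, index/time stamp."""
    return magic_sequence(mac) + TAIL.pack(control, index)


def digest(record: bytes) -> int:
    """One-way hash of the record, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign_record(record: bytes) -> bytes:
    """Hash the record, transform the hash with the private key, append it.

    Textbook RSA without padding, mirroring the description; a deployed
    system would use a padded signature scheme such as RSA-PSS.
    """
    signature = pow(digest(record), D, N)
    return record + signature.to_bytes(SIG_LEN, "big")


class Node:
    """Receiving side: holds only the administrator's public key."""

    def __init__(self, mac: bytes, public_key=(N, E)):
        self.magic = magic_sequence(mac)
        self.n, self.e = public_key
        self.last_index = 0              # highest index accepted so far

    def receive(self, data_field: bytes):
        """Return the control code to execute, or None if the frame is rejected."""
        start = data_field.find(self.magic)   # sequence may sit anywhere in the data
        if start < 0:
            return None                       # not addressed to this node
        rec_end = start + len(self.magic) + TAIL.size
        if len(data_field) < rec_end + SIG_LEN:
            return None                       # truncated record or signature
        record = data_field[start:rec_end]
        sig = int.from_bytes(data_field[rec_end:rec_end + SIG_LEN], "big")
        # Recover the signed hash with the public key and compare it with a
        # hash computed locally over the received record.
        if sig >= self.n or pow(sig, self.e, self.n) != digest(record):
            return None                       # modified in transit or wrong signer
        control, index = TAIL.unpack(record[len(self.magic):])
        if index <= self.last_index:
            return None                       # stale index: a replayed broadcast
        self.last_index = index
        return control


if __name__ == "__main__":
    mac = bytes.fromhex("445566778899")       # node address from paragraph [0044]
    node = Node(mac)
    frame = b"MISC" + sign_record(build_record(mac, CTRL_SHUTDOWN, 1000)) + b"MISC"
    print("first delivery:", node.receive(frame))
    print("replayed frame:", node.receive(frame))
```

The index check is what stops a captured, validly signed broadcast from being re-sent later; the signature alone only proves who created the record.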
[0046] Referring now to Figure 3, a flowchart diagram illustrating generation of a secure network broadcast message in accordance with the present invention is shown. Following commencement of the procedure in step 300, control proceeds to step 302 where the network administrator or network management software creates a shutdown record for one or more network computers S. When implemented using the Magic Packet™ technology, the shutdown message includes the aforementioned specific data sequence addressing the desired network computers S and indicates to the network interface controllers 122 of these nodes that a Magic Packet™ frame is being broadcast. The shutdown record also includes a control code directing the desired network nodes to enter a low power state. Also included is a secure index (e.g., a time stamp indicating the date and time on which the shutdown record is created).

[0047] Control next proceeds to step 304 and a secure one-way hash
function is performed on the shutdown record, resulting in a hash
code representation of the record. In practice, public key
algorithms, although capable, are often inefficient when used to
sign long documents. In the preferred embodiment of the invention,
this problem is addressed by generating a one-way hash of the
shutdown record prior to encryption with the network
administrator's public key. The hash value is commonly limited to a
predetermined length.
[0048] Preferably, the one-way hash function is performed in a
secure manner resistant to snooping or attack by malicious code.
Contemplated methods for accomplishing the secure one-way hash
function include those illustrated in the previously incorporated
references entitled: "SECURE TWO-PIECE USER AUTHENTICATION IN A
COMPUTER NETWORK" and "METHOD FOR SECURELY CREATING, STORING AND
USING ENCRYPTION KEYS IN A COMPUTER SYSTEM".
[0049] Following completion of step 304, control next proceeds to
step 306 and the secure hash code representation of the shutdown
record is encrypted utilizing the network administrator's private
key. Again, the encryption process is preferably performed in a
secure manner. In essence, step 306 produces a digital signature of
the shutdown record that is then appended to the original shutdown
record in step 308. Control proceeds to step 310 and the encrypted
hash of the shutdown record, in addition to the original shutdown
record, is broadcast to a computer network such as that depicted in
Figure 2. Control then proceeds to optional step 312 and the
network computers' S responses to the broadcast message are
recorded.

[0050] Referring now to Figure 4, a flow chart diagram is provided
illustrating the receipt and validation of the secure network
broadcast message in accordance with the preferred embodiment of
the present invention. This procedure is typically used to verify
that the broadcast message was neither modified in transit nor
originated from an unauthorized source. Following commencement of
the procedure in step 400, control proceeds to step 402 where the
network interface controller 122 of the network computer S detects
and scans all broadcast messages (or incoming frames).
[0051] Following detection of a broadcast message, control proceeds
to step 404 where the network interface controller 122 examines the
broadcast message for a specific data sequence, indicating that the
message contains a Magic Packet™ frame. The broadcast message is
also examined to determine if it is addressed to the receiving
network computer S. If not, control loops to step 406 and the
network interface controller 122 awaits the next broadcast message.
[0052] If the receiving network computer S determines that the
broadcast message is directed to it as determined in step 404,
control proceeds to step 408 where the digital signature or
encrypted hash portion of the received message is decrypted using
the administrator's public key. Control next proceeds to step 410
where the network interface controller 122 or other system
component performs a one-way hash function on the shutdown record
portion of the received message. The decrypted hash of step 408 and
the hash function result of step 410 are then compared in step 412.
If the two hash values do not match, the broadcast message fails
the verification process and control is returned to step 406 to
await the next broadcast message. If the broadcast message is
validated as secure in step 412, control proceeds to step 414 and
the receiving network computer S broadcasts an optional
acknowledgement message. Control proceeds to step 416 and the
shutdown control code of the broadcast message is executed by the
receiving network computer S, which either enters a low power
state, awakens, or performs some other predetermined function. The
verification process is ended in step 418.
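The generation steps 302 to 308 and the validation steps 404 to 412 can be traced end to end in a short added example, which is not code from the patent. It assumes SHA-256 as the one-way hash, a record layout of sync stream, sixteen address copies, a one-byte control code and an eight-byte index, a receiver-side replay check on that index, and a toy key; the unpadded "encrypt the hash with the private key" step mirrors the text only, and a deployment would use a padded signature scheme from a vetted library.

```python
import hashlib
import struct

# Toy RSA key from two Mersenne primes: constructed, offers no security.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # administrator's private exponent
SIG_LEN = (N.bit_length() + 7) // 8
HDR_LEN = 6 + 6 * 16                   # sync stream + sixteen address copies
CODE_LOW_POWER = 0x01                  # assumed control code value

def digest_int(record: bytes) -> int:
    return int.from_bytes(hashlib.sha256(record).digest(), "big")

def make_message(mac: bytes, code: int, index: int) -> bytes:
    """Steps 302-308: build the record, hash it, encrypt the hash with the
    private key and append the result to the record."""
    record = b"\xff" * 6 + mac * 16 + struct.pack(">BQ", code, index)
    signature = pow(digest_int(record), D, N)
    return record + signature.to_bytes(SIG_LEN, "big")

def verify_message(msg: bytes, mac: bytes, last_index: int):
    """Steps 404-412: return (code, index) if the message is authentic."""
    if len(msg) != HDR_LEN + 9 + SIG_LEN:
        return None
    record, sig = msg[:-SIG_LEN], int.from_bytes(msg[-SIG_LEN:], "big")
    if record[:HDR_LEN] != b"\xff" * 6 + mac * 16:
        return None                    # step 404: not addressed to this node
    if sig >= N or pow(sig, E, N) != digest_int(record):
        return None                    # step 412: the two hash values differ
    code, index = struct.unpack(">BQ", record[HDR_LEN:])
    if index <= last_index:
        return None                    # assumed replay check on the secure index
    return code, index

# Constructed sample: the node address from paragraph [0044], index 1000.
NODE = bytes.fromhex("445566778899")
MSG = make_message(NODE, CODE_LOW_POWER, 1000)
TAMPERED = MSG[:HDR_LEN] + b"\x02" + MSG[HDR_LEN + 1:]   # control code altered
FORGED = MSG[:-SIG_LEN] + bytes(SIG_LEN)                 # signature zeroed

if __name__ == "__main__":
    print(verify_message(MSG, NODE, last_index=999))
    print(verify_message(TAMPERED, NODE, last_index=999))
```

Because the index is inside the signed record, a captured message cannot be given a fresh index without invalidating the signature; the receiver only has to remember the last index it accepted.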

[0053] For machines in which it is desirable to disable remote
control functionality, it is contemplated that the public key of
the network administrator can be invalidated such that the
specified machine is incapable of detecting a valid broadcast
message. This may be desirable for use with network components
containing critical or highly sensitive information.
[0054] Thus, a method has been described for providing secure
remote control commands in a distributing computer environment. In
the preferred embodiment of the invention, the network
administrator or network management software creates a shutdown
record, including an index or time stamp, for powering down a
specified network computer(s). Prior to broadcast over the network,
a secure one-way hash function is performed on the shutdown record.
The result of the one-way hash function is encrypted using the
network administrator's private key, thereby generating a digital
signature that can be verified by specially configured network
nodes. The digital signature is appended to the original shutdown
record prior to broadcast to the network. Upon receiving the
broadcast message, the targeted network computer validates the
broadcast message by verifying the digital signature of the packet
or frame. The shutdown record or other command code is only
executed following authentication of the broadcast message.
Claims

1. A method for securely broadcasting remote control commands in a
computer network including at least one targeted network computer
capable of responding to remote control commands from a network
administrator computer or other network computer, the method
comprising the steps of:

generating a remote control command;
creating a digital signature of the remote control command;
appending the digital signature to the remote control command to
create a broadcast message; and
communicating the broadcast message to at least one targeted
network computer.

2. The method of claim 1, wherein the step of creating a digital
signature of the remote control command comprises:

performing a one-way hash function on the remote control command to
generate a signature hash value; and
encrypting the signature hash value with a private key.

3. The method of claim 2, wherein the targeted network computer(s)
further performs the steps of:

decrypting the signature hash value portion of the broadcast
message using a public key corresponding to the private key;
performing a one-way hash function on the remote control command
portion of the broadcast message to generate a verification hash
value; and
comparing the decrypted signature hash value with the verification
hash value.

4. The method of claim 3, wherein the targeted network computer(s)
further performs the step of:

executing the remote control command only if the signature hash
value and the verification hash value are identical.

5. The method of claim 3, further comprising the step of
invalidating the public key corresponding to the private key in at
least one network computer such that predetermined remote control
commands cannot be validated.

6. The method of any of claims 1 to 5, wherein the targeted network
computer(s) further performs the steps of:

utilizing the digital signature to verify that the broadcast
message is authorized; and
executing the remote control command only if the broadcast message
is authentic and authorized.

7. The method of any of claims 1 to 6, wherein the remote control
command includes an index or time stamp.

8. The method of any of claims 1 to 6, wherein the remote control
command directs the targeted network computer to enter a low power
state.

9. The method of any of claims 1 to 6, wherein the remote control
command directs the targeted network computer to enter a fully
powered state.

10. The method of claim 2 or any claim when dependent thereon,
wherein the private key is maintained in secure memory space.

11. The method of any of claims 1 to 10, wherein the step of
communicating the broadcast message to at least one targeted
network computer is substantially compliant with the Magic Packet™
specification.

12. The method of any of claims 1 to 11, wherein the digital
signature is generated during a secure mode of operation or in
secure computer memory.

13. A computer system configured to receive secure network
communications, the secure network communications having a remote
control command and a digital signature, the computer system
comprising:

a system bus;
a processor coupled to the system bus;
power management hardware or software; and
network interface circuitry coupled to the system bus and the power
management hardware or software, the network interface circuitry
configured to perform or direct the steps of:

utilizing the digital signature to verify that the broadcast
message is authentic; and
permitting the execution of the remote control command only if the
broadcast message is authentic, wherein the remote control command
causes a change in state in the power management hardware or
software.

14. A computer system according to claim 13, further comprising:

a mass storage device coupled to the system bus.

15. The computer system of claim 13 or claim 14, wherein the change
in state in the power management hardware or software causes the
computer system to enter a low power mode.

16. The computer system of claim 13 or claim 14, wherein the change
in state in the power management hardware or software causes the
computer system to become fully powered.

17. The computer system of any of claims 13 to 16, wherein the
digital signature comprises a hash code representation of the
remote control command, the hash code representation encrypted with
a private key, and wherein the step of utilizing the digital
signature to verify that the broadcast message is authentic
comprises:

decrypting the signature hash code representation of the broadcast
message using a public key corresponding to the private key;
performing a one-way hash function on the remote control command
portion of the broadcast message to generate a verification hash
value; and
comparing the decrypted hash code representation of the broadcast
message with the verification hash value.

18. The computer system of any of claims 13 to 17, wherein the
network interface circuitry is further configured to substantially
comply with the Magic Packet™ specification.

19. The computer system of any of claims 13 to 16, further
comprising a non-writeable secure memory space coupled to the
processor, wherein the public key is maintained in the secure
memory space.

20. A computer system configured to broadcast secure computer
network communications, the computer system comprising:

a system bus;
a processor coupled to the system bus;
a processor readable storage medium coupled to the system bus for
directing the processor to perform the steps of:

generating a remote control command;
creating a digital signature of the remote control command; and
appending the digital signature to the remote control command to
create a broadcast message;

network interface circuitry coupled to the system bus, the network
interface circuitry responsive to a command(s) from the processor
to transmit the broadcast message to a computer network.

21. A computer system according to claim 20, further comprising:

a mass storage device coupled to the system bus.

22. The computer system of claim 20 or claim 21, wherein the step
of creating a digital signature of the remote control command
comprises the steps of:

performing a one-way hash function on the remote control command to
generate a signature hash value; and
encrypting the signature hash value with a private key.

23. The computer system of any of claims 20 to 22, wherein the
broadcast message is substantially compliant with the Magic Packet™
specification.

24. The computer system of any of claims 20 to 23, wherein the
remote control command includes an index or time stamp.

25. The computer system of any of claims 20 to 23, further
comprising a secure memory space coupled to the processor, wherein
the private key is maintained in the secure memory space.